CLAIMS

For the convenience of the Examiner, all claims have been presented whether or not 
an amendment has been made. The claims have been amended as follows: 

1. (Currently Amended) A method of detecting polymorphic viral code [[in a
computer program]], comprising: [[the steps of:]]

[[(a)]] emulating a first predetermined number of instructions of [[the]] a computer
program;

detecting at least one unused or misused operand or operator of the first
predetermined number of instructions;

[[(b)]] collecting information corresponding to a state of a plurality of registers and/or
flags after emulating at least one instruction; [[each emulated instruction execution;]] and

[[(c)]] determining a probability that the computer program contains polymorphic viral
code based at least in part on an heuristic analysis of the collected [[register/flag state]]
information.

2. (Currently Amended) The method of claim 1, further comprising emulating [[a
second predetermined number of]] additional instructions if the [[probability]] determined
probability [[in step (c)]] is above a predetermined threshold. [[, wherein the second
predetermined number of instructions is greater than the first predetermined number of
instructions.]]

3. (Currently Amended) The method of claim 2, wherein the [[second
predetermined number of]] additional instructions [[corresponds]] correspond to execution of a
polymorphic decryptor.

4. (Currently Amended) The method of claim 1, further comprising [[monitoring]]
detecting improper use of at least one of the plurality of registers and/or flags, [[for improper
register/flag usage]].

5. (Currently Amended) The method of claim 4, further comprising
[[maintaining]] determining, for each of the plurality of registers and/or flags, a [[corresponding]]
count of a number of times that the [[register/flag]] register and/or flag was improperly used
during the emulation of the first predetermined number of instructions, [[instructions in
step (a)]].

6. (Canceled) 

7. (Currently Amended) The method of claim [[6]] 1, wherein detecting at least
one unused or misused operand or operator comprises identifying at least one operand
or operator that is not used during emulation of the first predetermined number of
instructions, [[further comprising detecting when an operand value of an instruction which is
set is not used by the instruction]].

8. (Currently Amended) The method of claim [[6]] 1, wherein detecting at least
one unused or misused operand or operator comprises identifying at least one undefined
operand or operator used during emulation of the first predetermined number of
instructions, [[further comprising detecting when an undefined operand of an instruction is
used by the instruction]].

9. (Currently Amended) A program storage device readable by a machine,
tangibly embodying a program of instructions executable by the machine to perform a
method [[steps]] for detecting polymorphic viral code in a subject computer program, the method
[[steps]] comprising:

emulating a selected number of instructions of the computer program;

detecting at least one unused or misused operand or operator of the selected
number of instructions;

collecting information corresponding to [[a state of]] a plurality of [[registers/flags]]
registers and/or flags after [[each emulated instruction execution]] emulating at least one
instruction; and

determining a probability that the computer program contains polymorphic viral code
based at least in part on an heuristic analysis of the collected [[register/flag state]] information.

10. (Currently Amended) A [[computer]] system for detecting polymorphic viral
code, comprising:

a processor; and

a program storage device readable by the [[computer]] system, tangibly embodying a
program of instructions executable by the processor to perform a method [[steps]] for detecting a
polymorphic viral code in a [[subject]] computer program, the method [[steps]] comprising:

emulating a selected number of instructions of the computer program;

detecting at least one unused or misused operand or operator of the
selected number of instructions;

collecting and storing information corresponding to [[a state of]] a plurality of
[[registers/flags]] registers and/or flags after [[each emulated instruction execution]]
emulating at least one instruction; and

determining a probability that the computer program contains polymorphic
viral code based at least in part on an heuristic analysis of the collected [[register/flag
state]] information.

11. (Currently Amended) A computer data signal embodied in a transmission
medium, the computer data signal embodying [[which embodies]] instructions executable by a
computer to detect polymorphic viral code in a computer program, the computer data signal
comprising:

a first segment including emulator code to emulate a selected number of instructions
of the computer program;

a second segment including detection code to detect at least one unused or
misused operand or operator of the selected number of instructions;

a [[second]] third segment including analyzer code to analyze a plurality of
[[registers/flags]] registers and/or flags accessed during emulation of [[the instructions]] at least
one instruction; and

a [[third]] fourth segment including heuristic processor code to determine a probability
that the computer program contains polymorphic viral code based at least in part on an
heuristic analysis of the plurality of registers and/or flags, [[register/flag state information
supplied by the analyzer code]].

12. (Currently Amended) An apparatus for detecting polymorphic viral code [[in a
computer program]], comprising:

an emulator operable to emulate [[wherein the emulator emulates]] a first
predetermined number of instructions of [[the]] a computer program;

an operational code analyzer [[that analyzes]] operable to:

detect at least one unused or misused operand or operator of the first
predetermined number of instructions; and

analyze a plurality of [[registers/flags]] registers and/or flags accessed during
emulation of [[the instructions]] at least one instruction; and

an heuristic analyzer[[, wherein the heuristic analyzer determines]] operable to
determine a probability that the computer program contains polymorphic viral code based at
least in part on an heuristic analysis of the plurality of registers and/or flags, [[register/flag
state information supplied by the operational code analyzer]].

13. (Currently Amended) The apparatus of claim 12, wherein the emulator is
operable to emulate[[s]] [[a second predetermined number of]] additional instructions if the
determined probability [[determined by the heuristic analyzer]] is above a predetermined
threshold. [[, the second predetermined number of instructions being greater than the first
predetermined number of instructions.]]

14. (Currently Amended) The apparatus of claim 13, wherein the [[second
predetermined number of]] additional instructions corresponds to execution of a polymorphic
decryptor.

15. (Currently Amended) The apparatus of claim 12, wherein the operational
code analyzer is operable to detect improper use of at least one of [[monitors]] the plurality of
registers and/or flags, [[for improper register/flag usage]].

16. (Currently Amended) The apparatus of claim 15, wherein the heuristic
analyzer [[maintains]] determines, for each of the plurality of registers and/or flags, a
[[corresponding]] count of a number of times that the [[register/flag]] register and/or flag was
improperly used during the emulation of the first predetermined number of instructions.
[[emulated instructions.]]

17. (Canceled) 

18. (Currently Amended) The apparatus of claim 12, wherein detecting at
least one unused or misused operand or operator comprises identifying at least one
undefined operand or operator used during emulation of the first predetermined
number of instructions, [[the operational code analyzer detects when an operand value of an
instruction which is set is not used by the instructions]].

19. (Currently Amended) The apparatus of claim [[17]] 12, wherein detecting at
least one unused or misused operand or operator comprises identifying at least one
undefined operand or operator used during emulation of the first predetermined
number of instructions, [[the operational code analyzer detects when an undefined operand of
an instruction is used by the instruction]].

20. (New) The method of claim 1, further comprising: 

identifying a polymorphic viral code associated with the computer program; and 
generating or modifying at least one rule based at least in part on the identification of 
the polymorphic viral code. 

21. (New) The method of claim 1, wherein the heuristic analysis is performed 
using at least one neural network. 

22. (New) The method of claim 2, wherein the additional instructions are more 
than the first predetermined number of instructions. 

23. (New) The method of claim 5, wherein the heuristic analysis comprises 
comparing the number of times that the register and/or flag was improperly used with the first 
predetermined number of instructions.

24. (New) The method of claim 5, wherein the heuristic analysis comprises
comparing the number of time that the register and/or flag was improperly used with statistics
corresponding to a plurality of polymorphic viral codes.

25. (New) The method of claim 7, wherein the determined probability is based at 
least in part on the identification of the at least one unused operand or operator. 

26. (New) The method of claim 8, wherein the determined probability is based at 
least in part on the identification of the at least one undefined operand or operator. 

27. (New) The apparatus of claim 12, wherein at least one of the emulator, 
operational code analyzer, or heuristic analyzer is further operable to: 

identify a polymorphic viral code associated with the computer program; and 
generate or modifying at least one rule based at least in part on the identification of 
the polymorphic viral code. 

28. (New) The apparatus of claim 12, wherein the heuristic analysis is performed 
using at least one neural network. 

29. (New) The apparatus of claim 13, wherein the additional instructions are more 
than the first predetermined number of instructions. 

30. (New) The method of claim 16, wherein the heuristic analysis comprises 
comparing the number of times that the register and/or flag was improperly used with the first 
predetermined number of instructions. 

31. (New) The method of claim 16, wherein the heuristic analysis comprises 
comparing the number of time that the register and/or flag was improperly used with statistics 
corresponding to a plurality of polymorphic viral codes.

32. (New) The method of claim 18, wherein the determined probability is based at
least in part on the identification of the at least one unused operand or operator.

33. (New) The method of claim 19, wherein the determined probability is based at 
least in part on the identification of the at least one undefined operand or operator. 
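
As an added illustration (not part of the filing and not the applicant's implementation), the Python sketch below shows one way the per-register counting of claims 5, 7, 8 and 23 and the threshold step of claim 2 could fit together. The toy trace format, the four-register set, the 8-instruction window, the 0.4 threshold and the ratio used in place of the claimed probability are all assumptions.

```python
from collections import Counter

REGS = ("eax", "ebx", "ecx", "edx")

def analyze(trace, limit):
    """Walk the first `limit` instructions; count improper use per register."""
    state = {r: "undefined" for r in REGS}    # undefined | pending | used
    dead_writes, undef_reads = Counter(), Counter()
    window = trace[:limit]
    for _op, dst, srcs in window:
        for r in srcs:
            if state[r] == "undefined":
                undef_reads[r] += 1           # read before any write (claim 8)
            else:
                state[r] = "used"
        if dst is not None:
            if state[dst] == "pending":
                dead_writes[dst] += 1         # set, then overwritten unread (claim 7)
            state[dst] = "pending"
    return len(window), dead_writes, undef_reads

def score(n, dead_writes, undef_reads):
    """Improper uses per emulated instruction, capped at 1.0 (assumed stand-in)."""
    bad = sum(dead_writes.values()) + sum(undef_reads.values())
    return min(1.0, bad / n) if n else 0.0

def scan(trace, first=8, threshold=0.4):
    """Score a short window; only a suspicious window earns a longer emulation."""
    n, dw, ur = analyze(trace, first)
    p = score(n, dw, ur)
    if p > threshold and len(trace) > first:
        n, dw, ur = analyze(trace, len(trace))   # first window plus additional instructions
        p = score(n, dw, ur)
    return p, n

# Constructed traces in a toy format: (mnemonic, destination or None, source registers).
JUNKY = [("mov", "eax", ()), ("mov", "eax", ()), ("add", "ebx", ("ebx", "edx")),
         ("mov", "ecx", ()), ("mov", "ebx", ()), ("mov", "ecx", ()),
         ("xor", "eax", ("eax", "ecx")), ("mov", "edx", ()), ("mov", "edx", ()),
         ("add", "eax", ("eax", "edx"))]
CLEAN = [("mov", "eax", ()), ("mov", "ebx", ()), ("add", "eax", ("eax", "ebx")),
         ("mov", "ecx", ()), ("add", "ecx", ("ecx", "eax")), ("mov", "edx", ()),
         ("add", "edx", ("edx", "ecx")), ("cmp", None, ("edx", "eax")),
         ("mov", "ebx", ())]

if __name__ == "__main__":
    for name, trace in (("JUNKY", JUNKY), ("CLEAN", CLEAN)):
        print(name, scan(trace))
```

A production emulator would seed the register state from the loader's entry conditions, so that legitimate reads of incoming registers are not counted as undefined.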